Vehicle cybersecurity is getting well-deserved attention. In October, the U.S. National Highway Traffic Safety Administration (NHTSA) issued federal guidance to the automotive industry for improving motor vehicle cybersecurity. Transportation Secretary Anthony Foxx said at the time, “Cybersecurity is a safety issue, and a top priority at the Department.” Thales e-Security, a major security and data protection solutions system supplier, believes the NHTSA guidelines are a good start but don’t go far enough.
In an article on Thales’ blog, Solutions Marketing Manager Jim DeLorenzo wrote, “… it’s great to see the [Department of Transportation] is addressing the growing cyber threats associated with connected vehicles. However, there are a few key elements still missing from the best practices laid out by the NHTSA.”
DeLorenzo started by listing Thales’ opinion of what the NHTSA got right: Controlling access to firmware, limiting the ability to modify security firmware and controlling communication to back-end servers so communication between servers and vehicles can be properly secured.
Thales’ suggestions for taking the government policy on vehicle cybersecurity further include specific steps and a general stance that takes the NHTSA’s recommended guidelines further to enforceable regulations.
Three important security elements currently missing in the NHTSA’s guidance, according to Thales, involve supply chain control, authentication throughout the cybersecurity component and assembly process, and protecting the manufacturing process itself. DeLorenzo wrote that protocols at supplier levels need to be established, documented and enforced. An authentication system should be developed for all levels of component suppliers to be sure that the only components used in systems are those that can be accurately authenticated. In addition, if factory floor security controls aren’t protected, remote access and production modification could subvert the system, either adding faults or malicious code.
On a more general level, Thales’ position is that NHTSA guidelines and recommendations aren’t strong enough. “Overall, the NHTSA’s guidelines are a great first start, especially coming from a prominent industry organization. But with cybersecurity, unfortunately, what we’ve seen in industries across the board is that adequate security is only implemented when required by regulation or other mandate[s],” DeLorenzo wrote.
DeLorenzo told Digital Trends that without some form of “digital credentials” for cybersecurity components and systems, individual cars and entire supply chains are vulnerable. He pointed out the need that all levels of component suppliers use digital birth certificates capable of rigorous authentication before entering the supply chain.
DeLorenzo cautioned that after-market add-on products sold directly to vehicle owners could penetrate the vehicle security controls. Car owners might buy based on flashy features or low prices but be unaware how such devices could jeopardize vehicle security. Similar to the way some scammers and hackers leave thumb drives with malicious code lying around for unsuspecting people to pick up and plug into their computers, DeLorenzo said it was not inconceivable that a “bad actor” could sell a ***y new vehicle accessory at a dirt cheap price so many people would buy it and ultimately give up access not only to their vehicles but to their personal information and their vehicles’ onboard computing and communicating systems.
While films and television show vehicle cyberattacks stopping cars or causing vehicles to change direction, those tactics would not be very likely because they wouldn’t be profitable. In a more likely scenario, the intruding software would leave the vehicle systems alone but scrape identity, banking, and financial information for all users connected to the car and at the same time set up a moving botnet. If you ever connected your phone with a rental car, for example, think how that potential vulnerability could affect a large number of people quickly. Also, there could be a large number of vehicles around the country whose owners were totally unaware that while they were commuting, for example, their vehicles were taking part in a massive Distributed Denial of Service (DDoS) attack.
In the rush to equip vehicles with tech of all types for diagnostics, navigation, driver assistance, autonomous driving, safety features, plus entertainment, infotainment, internet access, and various communications modes, without mandatory security precautions and rigorous enforcement, our ever-more connected cars could also become ever-more hacked.